DEV Community

Kay for AWS Community Builders

Posted on • Updated on

Some notes about Amazon EKS IAM OIDC Provider

Step 1

iam:*OpenIDConnectProvider* permissions are not required when creating an EKS cluster with CreateCluster, which creates an OpenID Connect provider URL (OpenID Connect issuer URL) for the cluster (e.g. https://oidc.eks.ap-southeast-2.amazonaws.com/id/ABCABC111222333444ABCABC11122233).

And in CloudTrail, there are no *OpenIDConnectProvider* events logged.

Step 2

After (1), the cluster has an OpenID Connect issuer URL associated with it. To use IAM roles for service accounts, an IAM OIDC provider must exist for the cluster. See here.

Then you need to run ekctl utils associate-iam-oidc-provider, e.g.

$ eksctl utils associate-iam-oidc-provider --cluster=k-test-oicd --approve --region=ap-southeast-2 --profile test-oidc
Enter fullscreen mode Exit fullscreen mode

A Open ID Provider with the same URL as (1) is created.

For this step, this role needs to have at least the following permissions.

iam:CreateOpenIDConnectProvider
iam:GetOpenIDConnectProvider
iam:TagOpenIDConnectProvider
Enter fullscreen mode Exit fullscreen mode

CloudTrail does NOT show the events as well (e.g. CreateOpenIDConnectProvider).

Top comments (0)